Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.

I’ve been actively involved in InfraGard for many years. InfraGard is a partnership between the FBI and the private sector with a primary mission of protecting critical infrastructure. Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”

I’ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don’t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.

Here’s a look at some of the resources I find useful in testing and training for a data breach:

NIST Computer Security Incident Handling Guide

In an appendix of this document (Special Publication 800-61) are incident handling scenarios for tabletop exercises to help train your incident response team. While a bit limited in scope, they are an excellent starting point at no cost to you.

DHS/FEMA Certified Cyber Security Training

The online Domestic Preparedness Campus is a portal for 10 courses that address three audiences in your enterprise: non-technical, technical and business professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.

The different courses include:

Information Security for Everyone

Cyber Ethics

Cyber Law and White Collar Crime

Information Security Basics

Secure Software

Network Assurance

Digital Forensics Basics

Business Information Continuity

Information Risk Management

Cyber Incident Analysis and Response

Homeland Security Exercise and Evaluation Program

This program from DHS (HSEEP) provides a standardized methodology for designing, conducting and evaluating exercises, and it applies directly to cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.

In total, HSEEP defines seven exercise types, broken down into training (discussion-based) exercises and operations-based exercises.

Training Exercises

1. Seminar – A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.

2. Workshop – A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.

3. Tabletop Exercise (TTX) – A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting.

4. Games – A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data and procedures designed to depict an actual or assumed real-life situation.

Operations-based Exercises

5. Drill – A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.

6. Functional Exercise (FE) – A functional exercise examines and/or validates the coordination, command and control between various multi-agency coordination centers. A functional exercise does not involve any “boots on the ground.”

7. Full-Scale Exercise (FSE) – A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and “boots on the ground” response.

Cyber Storm

Cyber Storm is a biennial, DHS-sponsored cybersecurity exercise that brings together international government agencies, U.S. federal and state government agencies and private industry. Its stated aims are to:

“Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”

Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center (NCCIC), which is the “boots on the ground” hub for national cybersecurity coordination.

Managing your enterprise security and privacy risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now, but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There is a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.

Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.

About The Experian Data Breach Resolution Blog

The goal of this blog is to raise awareness about data breaches and data breach resolution considerations, issues and challenges.

Have you had a data breach? Contact us on our Rapid Response Hotline: 1-866-751-1323 or databreachinfo@experian.com